Bug 896262 (CVE-2014-3631) - VUL-0: CVE-2014-3631: kernel: keys: incorrect termination condition in assoc array garbage collection
Status: RESOLVED FIXED
Alias: CVE-2014-3631
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other SLES 12
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Joey Lee
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/106051/
Reported: 2014-09-11 14:34 UTC by Marcus Meissner
Modified: 2014-09-19 05:12 UTC

Found By: Security Response Team

Attachments
0001-KEYS-Fix-termination-condition-in-assoc-array-garbag.patch (4.60 KB, patch)
2014-09-16 04:06 UTC, Joey Lee

Description Marcus Meissner 2014-09-11 14:34:39 UTC
via rh#1140325

A flaw was found in the way the termination condition in the associative array
garbage collection functionality was handled when used from the keys subsystem.

A local unprivileged user could use this flaw to crash the system.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b2a4df200d570b2c33a57e1ebfa5896e4bc81b69


https://bugzilla.redhat.com/show_bug.cgi?id=1140325
Comment 1 Marcus Meissner 2014-09-11 14:35:05 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1140325 references a proposed patch.
Comment 2 Marcus Meissner 2014-09-11 14:36:37 UTC
https://lkml.org/lkml/2014/9/10/788
Comment 3 Swamp Workflow Management 2014-09-11 22:00:18 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2014-09-12 09:45:15 UTC
introduced in 3.12, so SLE12 only.
Comment 5 Joey Lee 2014-09-15 15:48:52 UTC
(In reply to comment #2)
> https://lkml.org/lkml/2014/9/10/788

This patch was merged by Linus in v3.17-rc5:

commit 95389b08d93d5c06ec63ab49bd732b0069b7c35e
Author: David Howells <dhowells@redhat.com>
Date:   Wed Sep 10 22:22:00 2014 +0100

    KEYS: Fix termination condition in assoc array garbage collection
    
    This fixes CVE-2014-3631.


I will backport this patch and send it to kernel@suse.de for review.
Comment 6 Joey Lee 2014-09-16 04:06:41 UTC
Created attachment 606448
0001-KEYS-Fix-termination-condition-in-assoc-array-garbag.patch

Backported patch, sent to kernel@suse.de for review
Comment 7 Joey Lee 2014-09-19 05:12:09 UTC
Patch merged to SLE-12 kernel, set to FIXED.